Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24

Single-site bay-stuck issue at WJ: GE Intune Report IP script filters Get-NetIPAddress on StartsWith("10.") and posts everything matching to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP captured and reported -> GE backend tags bays as on a non-corp 10.x subnet -> dynamic group eligibility for SFLD policy never matches. Other GE sites work because their PXE LANs aren't on 10.x at all. Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally skips wired PXE addresses without any disable-NIC dance. Server-side already in flight (netplan dual-bound, dnsmasq scope + boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript all sed'd to 172.16.9.1). This commit is the playbook / scripts / docs side: 109 hits across 35 files sed'd in one shot. After this lands + boot.wim is rebuilt + bays renumber off DHCP, the 10.9.100.1 binding will be dropped from netplan as the final cleanup step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 16:30:32 -04:00
parent c6b249f866
commit ce604adcda
87 changed files with 697 additions and 139 deletions
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -16,8 +16,8 @@ systems.

 ## Network layout

- PXE server static IP: `10.9.100.1/24` on an isolated subnet.
- DHCP range served by dnsmasq: `10.9.100.10 - 10.9.100.100`, 12h leases.
+- PXE server static IP: `172.16.9.1/24` on an isolated subnet.
+- DHCP range served by dnsmasq: `172.16.9.10 - 172.16.9.100`, 12h leases.
 - Default gateway and DNS handed out via DHCP point at the PXE server itself.
 - The subnet has no route to the corporate LAN. Client traffic (Blancco BMC
  cloud, Intune enrollment) goes out via WiFi after Windows boots; PXE-time
@@ -166,7 +166,7 @@ USB installer (2 partitions: ISO + CIDATA)
 Ubuntu auto-install + first-boot Ansible playbook
    |
    v
-Configured PXE server (10.9.100.1) ----+
+Configured PXE server (172.16.9.1) ----+
                                       |
 Windows PCs running Upload-Image.ps1 --+--> Image content (SMB, webapp import)
                                       |
--- a/docs/SITE-CUSTOMIZATION.md
+++ b/docs/SITE-CUSTOMIZATION.md
@@ -22,9 +22,9 @@ contribute a `config/sites/<sitename>.yaml` template back to the repo.

 | Value             | Default              | Where it lives                                                                 |
 |-------------------|----------------------|--------------------------------------------------------------------------------|
-| PXE server IP     | 10.9.100.1           | `playbook/pxe_server_setup.yml` (dnsmasq config, iPXE script, samba conf, webapp env), `playbook/startnet.cmd` (mount paths), `boot-tools/blancco/grub-blancco.cfg` (TFTP/HTTP URLs) |
-| PXE subnet        | 10.9.100.0/24        | Same as above, plus `playbook/pxe_server_setup.yml` (UFW rules)                |
-| DHCP range        | 10.9.100.10-100      | `playbook/pxe_server_setup.yml` (dnsmasq config)                               |
+| PXE server IP     | 172.16.9.1           | `playbook/pxe_server_setup.yml` (dnsmasq config, iPXE script, samba conf, webapp env), `playbook/startnet.cmd` (mount paths), `boot-tools/blancco/grub-blancco.cfg` (TFTP/HTTP URLs) |
+| PXE subnet        | 172.16.9.0/24        | Same as above, plus `playbook/pxe_server_setup.yml` (UFW rules)                |
+| DHCP range        | 172.16.9.10-100      | `playbook/pxe_server_setup.yml` (dnsmasq config)                               |
 | Hostname          | pxeserver            | `autoinstall/user-data` (identity.hostname)                                    |

 ### Identity and credentials
@@ -143,7 +143,7 @@ Blob storage account.
 ### Image-upload paths on Windows

 `scripts/Upload-Image.ps1` defaults to:
- `\\10.9.100.1\image-upload` as the destination
+- `\\172.16.9.1\image-upload` as the destination
 - `C:\ProgramData\GEAerospace\MediaCreator\Cache\` as the source

 Update both for a different site.
@@ -156,10 +156,10 @@ A site config file should drive substitution at build time. Proposed schema:
 # config/sites/<sitename>.yaml
 site:
  name: westjeff
-  pxe_server_ip: 10.9.100.1
-  pxe_subnet: 10.9.100.0/24
-  dhcp_range_start: 10.9.100.10
-  dhcp_range_end: 10.9.100.100
+  pxe_server_ip: 172.16.9.1
+  pxe_subnet: 172.16.9.0/24
+  dhcp_range_start: 172.16.9.10
+  dhcp_range_end: 172.16.9.100
  hostname: pxeserver

 credentials:
--- a/docs/ge-enforce-v2-architecture.md
+++ b/docs/ge-enforce-v2-architecture.md
@@ -196,7 +196,7 @@ Two separate copies of overlapping content with different roles:

 | Path | Source | Used by | Updated when |
 |------|--------|---------|--------------|
-| `C:\Enrollment\shopfloor-setup\` | PXE imaging copy from `\\10.9.100.1\enrollment\shopfloor-setup\` | Imaging-flow scripts: `Run-ShopfloorSetup.ps1`, `Stage-Dispatcher.ps1`, `Set-MachineNumber.ps1` -> `Update-MachineNumber.ps1` | Re-image only |
+| `C:\Enrollment\shopfloor-setup\` | PXE imaging copy from `\\172.16.9.1\enrollment\shopfloor-setup\` | Imaging-flow scripts: `Run-ShopfloorSetup.ps1`, `Stage-Dispatcher.ps1`, `Set-MachineNumber.ps1` -> `Update-MachineNumber.ps1` | Re-image only |
 | SFLD share `\<scope>\` | Direct upload | GE-Enforce.ps1 / Install-FromManifest.ps1 (every logon) | Direct file upload to share |

 Implication for hot-fixing scripts: a fix to `Restore-UDCData.ps1` needs to
--- a/docs/geastandardpbr-overrides.md
+++ b/docs/geastandardpbr-overrides.md
@@ -52,11 +52,11 @@ Add a new entry (insert before the existing `D12 OptiPlex Family / 7090` entry):
 the actual driver pack from Dell's catalog by model name (`extract_model_ids`
 matches "7080") and downloads the latest pack at run time.

-### Side artifacts already on the live PXE server (10.9.100.1)
+### Side artifacts already on the live PXE server (172.16.9.1)

- `\\10.9.100.1\winpeapps\_shared\BIOS\OptiPlex_7080_1.37.0.exe` (39.8 MB, BIOS update)
- `\\10.9.100.1\image-upload\Deploy\Out-of-box Drivers\Dell_11\OptiPlex\D11 OptiPlex Family\win11_70809ntr8_a09.zip` (Win11 driver pack, 2.6 GB)
- `\\10.9.100.1\winpeapps\_shared\BIOS\models.txt` includes the 7080 line.
+- `\\172.16.9.1\winpeapps\_shared\BIOS\OptiPlex_7080_1.37.0.exe` (39.8 MB, BIOS update)
+- `\\172.16.9.1\image-upload\Deploy\Out-of-box Drivers\Dell_11\OptiPlex\D11 OptiPlex Family\win11_70809ntr8_a09.zip` (Win11 driver pack, 2.6 GB)
+- `\\172.16.9.1\winpeapps\_shared\BIOS\models.txt` includes the 7080 line.

 These persist regardless of `geastandardpbr/` rebuilds. Only the model-registry
 edits need to be re-applied after a USB re-import.
--- a/docs/shopfloor-machine-imaging-guide.md
+++ b/docs/shopfloor-machine-imaging-guide.md
@@ -6,7 +6,7 @@ Step-by-step for imaging a new (or replacement) shopfloor PC that will sit at a

 - PC connected to the **PXE switch** (not the production network yet)
 - USB mouse + keyboard connected
- PXE server is running and reachable (verify by pinging `10.9.100.1` from another PC on the same switch)
+- PXE server is running and reachable (verify by pinging `172.16.9.1` from another PC on the same switch)
 - **Target machine number** known (e.g., `7605`) — you can enter it at PXE time, or use `9999` as a placeholder if the PC will be configured at the bay later
 - **ARTS Lockdown request submitted** for this PC (or know that you'll submit one mid-imaging)

@@ -229,7 +229,7 @@ The script needs a desktop session. Won't run via WinRM/SSH/non-interactive. Mak

 ## Reference

- **PXE server**: `10.9.100.1`
+- **PXE server**: `172.16.9.1`
 - **SFLD share**: `\\tsgwp00525.wjs.geaerospace.net\shared\dt\shopfloor\`
 - **Manifest engine log**: `C:\GE Aerospace\machineapps-enforce.log`
 - **Intune sync transcript**: `C:\Logs\SFLD\sync_intune_transcript.txt`